diff --git a/src/research/find_hidden_file.nim b/src/research/find_hidden_file.nim
index 4f38f90..4028bf5 100644
--- a/src/research/find_hidden_file.nim
+++ b/src/research/find_hidden_file.nim
@@ -3,25 +3,30 @@ import strutils
 proc find_hidden_files(find_dir: string) =
-  # FIXME: if there are 2 hidden files like aaaa, aaab -> likely this loop will miss aaab and skip to aaac. It's technical issue
-  # FIXME: if the node before malware has the name too long, this script can't get the name of next node hence can't detect
+  #[
+  Find hidden file / folder by node's d_name comparsion
+  1. Get name of current node
+  2. Get the name of next node in d_name (d_name[255] could contain next node's name depends on lenght)
+  # BUG: either 1 name is too long -> can't get the value -> bypass
+  3. Compare the name from d_name with current node's name (if hidden by malware -> different)
+  # BUG: if 2 hidden nodes are next to each other, the 2nd hidden won't be detected
+  4. If current node is nil (previous node was last node) then break. (next node's name from previous loop should be null)
+  # BUG:If current folder has too many node, it will show false positive at step 4.
+  ]#
   var
     f_dir = opendir(cstring(find_dir))
     save_node_name: string
-
+
   while true:
     var r_dir: ptr Dirent = readdir(f_dir)
     if r_dir == nil:
-      # FIXED: missing hidden file in /dev/shm with perfctl linux rootkit. Reason: hidden file is the last link in node
-      # FIXME false positive (?) /usr/bin/make-first-existing-target (belong to package `make`)
       if not isEmptyOrWhiteSpace(save_node_name):
-        echo "Malware: ", save_node_name
+        echo "Malware (last): ", save_node_name
       break
     # Compare name of current node with save name from previous loop (which suppose to be name of this node if no function hooking)
-    # FIXED: if the name of next node is too long, only starts with is correct (which also can cause false positive). Parse using cast[cstring] fixed it (no NULL)
     if save_node_name != "" and save_node_name != $cast[cstring](addr(r_dir.d_name)):
       echo "Malware: ", save_node_name
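Review bot: The `f_dir = opendir(cstring(find_dir))` in the new `var` section is never checked, so an unreadable or missing directory reaches `readdir(f_dir)` with a nil handle and the tool aborts without saying why; add `if f_dir == nil: raise newException(OSError, "opendir failed: " & find_dir)` right after the declaration (a `doAssert f_dir != nil, "opendir failed: " & find_dir` is enough if a crash with a message is acceptable for a research script). The added `#[ ]#` block would be more useful as a `##` doc comment on the proc so `nim doc` picks it up, and while moving it "comparsion" and "lenght" can be corrected. Step 2 could also state the actual mechanism rather than `d_name[255]`: `d_name` is the last field of `Dirent` on Linux, so indexing it by `d_reclen` lands on the next record's `d_name` inside readdir's buffer, which presumably only holds while the next record sits in the same buffer fill — that looks like the "too many nodes" false positive noted at step 4, worth confirming. find_hidden_files continues past the end of this hunk.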
@@ -31,9 +36,8 @@ proc find_hidden_files(find_dir: string) =
       save_node_name = ""
     else:
       # Parse name of next node using location
-      # FIXED: validate value if next node's name is very long so it doesnt end with NULL
       save_node_name = $cast[cstring](addr(r_dir.d_name[r_dir.d_reclen]))
   discard f_dir.closedir()
-find_hidden_files("/dev/shm/")
+find_hidden_files("/usr/lib/x86_64-linux-gnu/")
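Review bot: `r_dir.d_name[r_dir.d_reclen]` indexes the fixed `array[0..255, char]` with the record length, so with the default bound checks enabled a long entry name (roughly 230 bytes or more, once `d_reclen` exceeds 255) raises IndexDefect and the whole scan aborts, which is a different failure than the "bypass" the new comment block describes for step 2; `save_node_name = $cast[cstring](cast[uint](addr(r_dir.d_name)) + uint(r_dir.d_reclen))` computes the same address without the array index, though reading past the current record remains meaningful only while the next record lies in the same readdir buffer. The switch to a hard-coded `/usr/lib/x86_64-linux-gnu/` at the bottom would be easier to reuse as `find_hidden_files(if paramCount() > 0: paramStr(1) else: "/usr/lib/x86_64-linux-gnu/")`, which needs `std/os` imported at the top of the file. This hunk starts partway through find_hidden_files.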